Content-Security-Policy: default-src *.example.com
